Security is a major concern in today's highly connected economy. Enterprises and individuals are increasingly conducting monetary, proprietary, or otherwise personal transactions over the World-Wide Web (WWW) and Internet.
Moreover, it is not just secrecy that is at issue for Internet transactions. For example, malicious users are regularly attempting to infiltrate devices of unsuspecting users to install monitoring devices and/or to unleash viruses. Furthermore, this can occur with Internet transactions that users would not usually view as being private or needing any extra protection.
To address these problems, the industry has generally integrated a number of different approaches into existing WWW browser and email technologies. One approach is to issue certificates that WWW browsers automatically validate for sites being visited by users. Certificates typically have a long life. Consequently, there is an increased chance that certificates can be surreptitiously acquired and used in an unauthorized fashion. Another approach is to use short-term credentials, such as keys that expire upon events or expire after elapsed periods of time.
Short-term credentials are generally distributed by a credential issuer. Short-term credentials rely on the identity of the requestor and rely on the identity of the intended service for which the credentials are being issued. In this manner, access to the intended service requires a credential that identifies the intended service by name and that identifies the requesting user.
However, short-term credentials can also pose a privacy threat for users, because the credential issuer knows everywhere the user is going on the Internet and can track the user and the user's usage patterns. A certificate does not have this problem, because with a certificate the user does not have to visit a credential issuer each time access to an intended service is desired. But a certificate is not service-specific and is long-lived, so it may be more easily intercepted and acquired by malicious intruders who then masquerade on the Internet as the user or even as the intended services that the user desires to access.
Therefore, it is advantageous to provide techniques that retain the benefits of short-term credentials and yet eliminate the privacy threat associated with conventional credential issuers.